Trying to control capacity utilization for guest users connecting to a 2960 switch. No problem for IPv4 users, but IPv6 is giving me fits. What I've found out by trial and error so far implies that there is just enough IPv6 smarts in a WS-C2960-24TT-L running
c2960-lanbasek9-mz.150-1.SE to make it impossible to control IPv6 traffic. Blocking IPv6 would be sufficient short term, but MAC filtering on type 0x86DD does not appear to work either. Here are the results I've gotten so far:
* Protocol ipv6 or an IPv6 ACL in a class map.
* Using a class map referencing ipv6 protocol or an ipv6 ACL in a policy map.
* IPv4 inbound filters and policing.
* Blocking of IPv4 traffic by a MAC ACL blocking type 0x0800 (IPv4) - note that the docs explicitly state that MAC filters do NOT filter IP traffic, except for on this box on this release they do.
What does not work:
* Applying a policy map referencing a class map referencing protocol ipv6 or an IPv6 ACL to an interface. The service policy is accepted by the parser, but is not inserted into the running configuration.
* "class-default" in a policy map only matches IPv4 traffic, not all other traffic.
* Blocking of IPv6 traffic by a MAC ACL blocking type 0X86DD. No problem applying the access-group to the interface, it just doesn't do anything.
I am aware that this box is not supposed to support IPv6 other than for multicast, but as implemented, this is a hole an abuser could drive a MAC truck through.
Is this situation unique to this particular 2960 switch or SW release (I also tried 12.2(58)SE2) or does it afflict all 2960's running LANbase?
Is there a known workaround?
Assuming the answers to the first two question are negative, what is the minimum requirement to get working IPv6 policing in an edge switch?
Cisco SD-Access 18.104.22.168 Features OverviewBorder handoff enhancements: 4-byte ASNEmbedded wireless support on Fabric edgeFiaB deployment models:Multiple VN for Guest Access in Cisco SD-AccessCisco SD-Access Group-Based Access Control PolicyCisco SD-Access ...
. My work contains abbundance of networking gear.i have 3945 routers with attatched nme,3850 switches 48 gig port with 4 tengig port,3850 switch with 16 fiber ports, fortigate 600d along with servers with 8tbs of free space.if you have any labs for me id ...
Hello I have a network in prodcution like it mensionned in this picture. The customer wants to renovate the current infrastructure by changing all the hardware. For this reason we had think about deploying DNA Center and make automat...
I want to show how to quickly and reliably troubleshoot a network using notepad++.If you are not using Cisco GENIE and your network is not very big and you have several routers/switches only.For illustration, I created a simple topology.First, the loopbac...
Join us on Tuesday, October 15 at 10:00 am PT to to learn how Equinix and Cisco enable multicloud and Hybrid IT access.
Digital transformation initiatives are driving the adoption of internet, cloud, mobile and IoT technologies. In order t...